[aur-dev] Safe and relatively reliable PKGBUILD parser.

Jim Pryor lists+aur-dev at jimpryor.net
Mon Jan 11 22:20:00 EST 2010


On Sat, Jan 09, 2010 at 09:23:56PM +0100, Xyne wrote:

> I first check the PKGBUILD with "/bin/bash -n PKGBUILD". If this
> command exits without error then the PKGBUILD contains valid syntax,
> most importantly it does not contain extra closing brackets ("}").
> 
> This lets me wrap the entire PKGBUILD in a function, e.g.
> pkgbuild () {
> <PKGBUILD>
> }
> 
> I can then source the file with Bash without executing any code. The
> previous check with "bash -n" guarantees that the PKGBUILD can not
> escape the wrapping function. Because all code is inside a function,
> sourcing the file does not execute any code at all.
> 
> Bash simply parses the file and stores the code itself in the
> "pkgbuild" function, which itself contains other variables and
> functions (e.g. package_foo, build). Because the code has not been
> executed, the variables have not been expanded/interpolated and thus
> still contain things such as "http://example.com/$pkgname-$pkgver.tar",
> which is why it must still be interpolated by the parser.

I was brainstorming to think of possible exploits. It looks like this is
valid syntax:

echo normal stuff
exit 0
any funky stuff I want
pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {

Running bash -n on that gives 0. Now there's not necessarily anything
wrong here---unless your parser doesn't stop parsing at the exit command.
If it goes past that, then maybe exploits could be introduced, because
we wouldn't be entitled to the assumption that the rest of the code is
valid syntax.

-- 
Jim Pryor
profjim at jimpryor.net
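The check Xyne describes (bash -n, then wrap the file in a function, then source it) together with Jim's suggestion of not reading past an exit, as an added example that is not code from the thread or from the AUR project. It is driven from a POSIX shell so that every bash-specific step runs in a separate bash process; the function names and the sample PKGBUILD, which includes the "exit 0 followed by funky stuff" shape from the message above, are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the AUR project): the bash -n /
# wrap-in-a-function / source check, with parsing that stops at "exit".
# Function names and the sample PKGBUILD below are constructed for this example.

# Wrap PKGBUILD $1 as "pkgbuild () { ... }" into $2. Only a file that
# "bash -n" already accepts is wrapped: balanced braces in the original are
# what guarantee that the wrapper cannot be closed early by a stray "}".
pkgbuild_wrap() {
    bash -n "$1" 2>/dev/null || return 1
    {
        printf 'pkgbuild () {\n'
        cat "$1"
        printf '\n}\n'
    } > "$2"
    bash -n "$2" 2>/dev/null
}

# Source the wrapped file in a throwaway bash (nothing inside the function
# body runs; bash only stores it) and print the stored body with declare -f.
pkgbuild_dump() {
    bash --norc --noprofile -c 'source "$1" && declare -f pkgbuild' _ "$1"
}

# Print "name=value" for the simple assignments in the stored body, still
# unexpanded ($pkgname stays literal). Reading stops at the first "exit",
# so whatever follows it is ignored rather than trusted.
pkgbuild_vars() {
    pkgbuild_dump "$1" | awk '
        /^    exit( |;|$)/ { exit }
        /^    [A-Za-z_][A-Za-z0-9_]*=/ {
            sub(/^    /, ""); sub(/;$/, ""); print
        }'
}

# Constructed sample: ordinary assignments, a side effect that must not run,
# and the "exit 0 followed by funky stuff" shape from Jim's message.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
raw="$tmp/PKGBUILD"
wrapped="$tmp/PKGBUILD.wrapped"
cat > "$raw" <<'EOF'
pkgname=example
pkgver=1.0
source=("http://example.com/$pkgname-$pkgver.tar")
echo SIDE_EFFECT_RAN
exit 0
any funky stuff I want
pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {
EOF

# Wrap, source without executing, and list the assignments before "exit".
pkgbuild_wrap "$raw" "$wrapped" && pkgbuild_vars "$wrapped"
```

Running it prints the three assignments before the exit with `$pkgname` and `$pkgver` still unexpanded; the `echo` never executes and the second `pkgver=` after the exit is never reported, even though the whole file passed `bash -n`.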

